[Freeipa-devel] Screens For HBAC Testing (Ticket #388)
Dmitri Pal
dpal at redhat.com
Thu Nov 10 23:41:04 UTC 2011
On 11/10/2011 12:06 PM, Endi Sukma Dewata wrote:
> On 11/9/2011 4:32 PM, Dmitri Pal wrote:
>> Since "from" host is unreliable, one of the latest decisions in SSSD was
>> to ignore "from" host part of the rule by default (causes a lot of
>> performance issues too) and have a config parameter to explicitly not
>> ignore it. I think the UI should reflect in some way that "From" should
>> not be generally used and not an "equal" citizen of the HBAC rule. We
>> probably should update the existing UI too to discourage people from
>> using it and also document it in man pages for HBAC and in the docs.
>
> In HBAC test we can add a note saying the source host is optional. In
> HBAC rule the default source host category is 'all', which has the
> same effect. Should we display a warning when the category is changed?
Probably. Some reasonable indication should be used.
>
> The CLI will be changed to accept empty source host:
> https://fedorahosted.org/freeipa/ticket/2085
>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
More information about the Freeipa-devel
mailing list